Posted
by
simoniker
on Monday May 03, 2004 @12:40PM
from the you-go-girl dept.

PhrostyMcByte writes "According to The Register/SecurityFocus: 'Ex-hacker Kevin Mitnick is a hero to the small town of River Rouge, Michigan, after using his tech skills to help officials nab the culprit behind a harrowing series of bomb threats.'" According to the piece, Detective Lt. John Keck "began searching the Internet for technical guidance, which led him to Kevin Mitnick, who'd earlier demonstrated a technique for spoofing Caller ID on the specialty cable network TechTV." Mitnick's comment on the bomb hoaxer? "He wasn't really hacking... he was really just being a jerk."

I don't know about more trouble. Mitnick was in prison for five years and spent a great deal of time in solitary confinement. According to the article this kid isn't even facing any jail time but he will likely be expelled from school.

Reminds me of the movie, "Catch me if You Can [dreamworks.com]" (based on a true story). I thought it would be a horrible movie because of Leonardo DeCaprio, but his acting was great. Tom Hanks was not slouch either.

Anyways, the basic plot of the movie is that Leo is the world's most infamous check counterfeiter. Eventually he turns over to the "good guys" and joins Tom Hanks at the end of the movie. Today he provides most of the security to checks.

They didn't have the telephony-fu to ask the phone company for what they needed. The phone company, in the manner of bureaucratic twits everywhere, answered the question that was asked, not the one that needed asking.

Now, that is probably good in a subpoena situation. But if a properly identified law enforcement officer was tracking a bomb threat, I'd tell them what they needed to ask for, wait while they got the corrected subpoena, and provide the info. That is, if I worked for the phone company.

...the hoaxes unnerved some residents of the Detroit suburb, which boasts a population in the high four digits.

"It is kind of funny, I'll admit, but this is not the time for these kinds of games," says Keck.

No, it wasn't kind of funny. It was stupid... Really stupid. It wasted a lot of people's time. The bomb threat is one thing. Diverting police cars, forcing evacuations, searching for false bombs, making someone research how to track telephone calls, and having a writer tell a sensationalized story was a huge waste of time.

This had nothing to do with phone phreaking, hacking, or anything. It was a dumbass kid who made a call from a cell phone and someone doing their job and finding Mitnick (who of course was willing to look like the good-guy) to solve the problem.

> Phoning in a bomb threat to your school from your> cell phone...how do you expect not to get caught?

Actually, he got away with it. Several times.

He fell prey to the number one rule of getting caught though; not stopping. If the kid had only done it once or twice, the officer would have never sought Mitnick, would have never figured out how to query the phone companies, and the kid would have made the perfect crime.

When I worked in banking security my more experienced collegues told me that in the banking industry hundreds of millions of dollars go missing every year to organised criminals. You don't read about it in the papers because the banks don't want you to know about it.

And I'm not talking about petty credit card fraud, I mean sophisticated hacking of the international banking networks to create false transactions and electronically move the money to countries where it can be quickly and anonymously removed from the system in cash or gold.

you'd think that these sorts of losses would show up on annual reports though

I was told in one instance a big very well known bank lost several hundred million dollars in a single fraud - what must be one of the biggest bank robberies ever - and it never appeared in their annual report or anywhere else. The big banks really want to be see as safe - huge sums of money just disappearing into thin air doesn't look good!

Banks can write those losses anywhere. They do a ton of investing, and when an investment tanks, they lose money. So they just write it up as money lost in a bad investment, and its there, but you have to know what to look for to find it.

I think you missed the subject of "It is kind of funny." The young man called the bomb threat in FROM HIS CLASSROOM. Apparently he was in shop class on the cellphone dialing in a bomb threat. The fact that the childish misbehavior occurred under the noise of the school itself is the part that amused the Detective, and I would have to agree with him. It was funny.

The detective is to be applauded for his creativity in finding the culprit. And let's also have some sympathy for him, 'cause you know this outcome has got him seeing red:

The prankster confessed, and this week pleaded guilty to a single count of making bomb threats. He's not expected to spend any time incarcerated. "They're going to try to come up to some sentence that will put him on track to be more productive," says Keck.

I'll bet five bucks the kid is in the "in crowd". Football season's over, and he's sitting in "gimme an 'A'!" shop class with the other jocks, figuring out what to do after they're done lifting the cheerleaders' skirts. "Hey, I know, let's call in a bomb threat. They'll strip search the geeks while we laugh our a$$ off!"

Here in Texas, 15 year olds who aren't in the "in crowd" get sent to jail for life, and nobody even seems to care. And there are plenty of ridiculous [edweek.org] examples [cnn.com] of innocuous behavior being punished by schools.

And this kid, a serial terrorist, is going to get off with a suspension -- probably because he's some bigwig's son, or else he's on "the team". What a load of crap.

RES IPSA LOQUITUR - Lat. "the thing speaks for itself." Refers to situations when it's assumed that a person's injury was caused by the negligent action of another party because the accident was the sort that wouldn't occur unless someone was negligent.

I'd rather have a 500k carpet that ends up turning out some men who'll protect my skinny butt rather than turn the nation into a bunch of wimps.

Astroturf does not build character. More expensive equipment does not make you better players. Case in point: When I was in highschool, our track team was the best in the county even though we had the worst track (it was cinder, everyone else had rubberized). Since they've gotten the new track facility, they haven't done as well.

Tell me about it. at my school last year three jerks were accused of raping a girl in the year below them. They were let off with fines and immediately returned to school because there was doubt over whether it was rape or consensual. Why? because she'd once dated one of the guys involved for a month.

Same school, same year, kid borrows a laptop from the school for a weekend as he'd done for months, but this time didn't sign out for it correctly. Suspended and grades withheld. There you go. Borrowing a laptop without proper authorisation is a worse crime than rape in School Land.

(not to mention the ridiculousness of the logical conclusion that if you date one person you could be consenting to have forced violent sex with all their friends)

Borrowing a laptop without proper authorisation is a worse crime than rape in School Land.

The more I hear of the insane bureaucratic messups that are happening in schools, the more I realise that kids today who say "There's no use learning nuffing in school cos it don't apply to da real world" aren't being young naive and stupid... but damned insightful.

Leave adulthood for kids to become jaded & cynical dammit, don't make them that at 15!

The rape charges are brought by the state, not the school. The school cannot legally punish the kids for crimes not under their jurisdiction. If it happened on school grounds, then perhaps.

The laptop signout could not have been prosecuted by the state, as no crime was committed. He broke school rules (accidently or not) and suffered the consequences.

Nothing in your comment really gets to the point you are trying to make, that popular kids get slaps on the wrist and unpopular kids get leg irons. I don't doubt it happens, but pick more analogous circumstances if you really want to make a case.

Umm unless the rape happened on school ground during school hours, it should be left up to the local police department and DA for final punishment. And even if this rape did happen on school ground and during school hours, this type of matter should be left up to the court room decide. I assume forgeting to checkout a computer is just a school violation, therefore its up for the school to decide.

So you think you know a situation that you obviously know nothing about, based on this guy not knowing anything about the situation?

I'm so fucking sick of people dismissing rape claims because there are those who cry wolf.

(And here's a fucking novel idea - how about guys treat girls with respect and not as pieces of meat? Or how about girls get taught to respect themselves and not GO to frat parties and get trashed while wearing as little as possible?)

Or how about girls get taught to respect themselves and not GO to frat parties and get trashed while wearing as little as possible

Speaking as a guy, girls should be able to wear as little as they want to the frat party, and still beat the guys off with nothing more than saying "no": how they dress is NO excuse for a guy acting as anything other than a gentleman. (Remember, even if she's wandering around naked, you have to ask politely "Do you mind if I grope your tits?" before trying it.)

On the other hand, if they choose to drink or do drugs, they should do so willing to accept responsibility for anything they do while under the influence, whether it's spraypainting their name on a wall, driving their car into a wall, or screwing some random stranger.

How about guys treat girls with respect and not as pieces of meat?

Assholes get attention; they may be slapped more often, but if they don't have a specific target for their pickup attempts, they have good chance of getting laid, too.
Nice guys don't get slapped, but they not only don't get laid, they also don't get much in the way of moderate freindly attention from either specific or general targets as encouragement either-- they mostly get ignored.

Ergo, agressive behavior by guys is more socially rewarding in the near term, and civilized behavior is extensively under-rewarded.

Behavior that is rewarded is more often repeated; behavior that is unrewarded is less often repeated. Do the math, and you get both the "nice guys finish last" and the "guys treat girls like pieces of meat" conditions. The corollaries of how this can be changed are left as an exercise for the student.

Actually, rape has the exact same rate of flase reporting as any other violent crime, according to the FBI. And, when combined with the huge numbers of people who do not report rapes that do happen, you are dead wrong. The vast majority of rape allegations are true.

Furthermore, the situations you described with your frat could very well have been rapes. In most, if not all, states, intoxicated individuals can't give consent to have sex, and thus having sex with them is rape. The fact that the DAs didn't end up bringing charges means next to nothing. The level of proof that is needed to get a conviction in a rape case is enormous; a survivor usually has to have some kind of physical evidence. Many times, this will be washed away by the time she decides to go to the police, leaving only the opposing statements of the rapist and his victem.

Regardless of all that, please remeber that one of the most damaging things that you can do to a survivor of rape or sexual assault who discloses to you is to not believe them. Our culture already puts tons of shame and guilt them, so it's a huge deal to come out and admit to being a survivor. They are, in the vast majority of the time, telling the truth. And even if they're not, that's for the police to decide. You should just be supportive. Or just shut up and say nothing.

I had personal knowledge of most of these, and they were always consensual (albeit drunken) sex that turned into rape the next morning.

IAmNotALawyer. From what I recall of the general nature of rape laws, the key is the ability for both participants to be able to give informed consent. Thus, statutory rape is illegal based on the idea that below a certain age, the person lacks the legal capacity to make the informed decision. In the case of intoxication (be it ethanol or flunitrazepam), the person is considered legally impaired and unable to give consent. In the state where I went to college, that was codified in the date-rape law.

Of course, there was one stupid part to the law. In theory, if both the guy and girl had drinks before they met, they met up and went off to a bedroom, then when they woke up the next morning ("Aiiigh! Coyote woman/guy!") they could BOTH file rape charges under the law as written. For some reason, it really pissed people off when I pointed this out. (It made a fun test to distinguish feminists versus feminazis; the former looked thoughtful, the latter started screaming at me.)

Speaking from a personal ethical standpoint, I would say that if you knowingly choose to take a drug (like ethanol), you are morally responsible for anything you choose to do while your judgement is impaired by it. So, if the girl goes out and gets drunk, and decides to screw a guy, she should be considered responsible... in that she freely choose to enter the state of impaired judgement. This, however, is not how the law reads. Choosing to have sex is the ONLY thing you can get out from legal responsibility for when you choose to become intoxicated... which is stupid.

So (at least where I went to college), if she knew there was grain in the punch, it was legally rape, even if morally it wasn't. On the other hand, if you don't check that she knows the punch is spiked when you hand her that first glass, it may be rape on ALL accounts.

More likely explanation, this is a small town, (article says about 4 digit population) and they don't want to send a kid to jail for being stupid. If he does it again though I'm sure that he'll be deported or maybe even defenistratred.

Here in Texas, 15 year olds who aren't in the "in crowd" get sent to jail for life, and nobody even seems to care. And there are plenty of ridiculous examples of innocuous behavior being punished by schools.

I read those articles, no one got sent to jail. Just suspended. And as far as I'm concerned that's the best thing that can happen. "What? No school for 2 weeks? WooHoo!" Though, perhaps in the second article they were trying to encourage the students, I sure would have.

BTW, I don't know about YOUR highschool, but at mine, the "in crowd" might have gotten A's in English or Calculus, but everyone of them would have flunked wood shop hard. I was following you until that line. And do you happen to know if anyone got a video of that kiss in Texas? Just curious....;)

Here in my little burg 3 football players beat the crap out of some kid after school and left him unconscious in the gutter. The school took it on themselves to punnish the kids -- they recieved a couple days suspension, oddly they would be back at school in time for the next game. (In this school district the penalty for being in a fight is immediate expulsion).

I doubt it's a matter of the system not being broken. I'd say it's just more likely that Kevin is a decent guy at heart, and that's what allows/allowed him to learn from his unwise choices.

One other thing - breaking the law doesn't exactly make a person a "criminal"; they aren't suddenly some evil hateful person who only does bad things and so on. Defining a person by their actions is easy to do and is considered "reasonable" but usually results in inaccurately classifying someone's whole personality and overlooking other aspects of his or her personality and behaviour.

parent not offtopic.
*67 is the code for blocking caller-id (displays "PRIVATE" on receiving end).
too bad my high school blocked any incoming private calls, or my friend and I could have both called out from my house.
*shrug*

It sounds like the phone companies were not that interested in helping the police out. Instead the police had to ask someone else to help them out. Other wise the police wouldn't have know which information to request on the warrents.

I wounder if the phone companies would have been more helpfull if there actually was a bomb that exploded?

Instead of what should have happened: Officer: We need to catch this haxor TelCo: Ok,..., there it is!

I, on the other hand, am glad that the telephone company is not being randomly helpful, but insisting that the police go through proper channels before handing out call trace information.

Perhaps they could have told him what to ask for. But I prefer that they err on the side of citizen privacy and let the police learn to do their job through their own methods (as this officer did), rather than spending their resources (and raising customer bills) leading every nosy cop through the procedure by hand, thus encouraging its constant use for ever smaller issues and possibly giving them incorrect legal advice in the process.

I, on the other hand, am glad that the telephone company is not being randomly helpful, but insisting that the police go through proper channels before handing out call trace information.

That is ridiculous. He HAD A SEARCH WARRANT, and the telco, instead of giving him the information he had a right to recieve, they said: We don't know who placed the call, have a nice day. In other words, a cop had a warrant, and they told him to fuck off. They could EASILY have said: It came from this other provider, as

Is there a reason there isn't a standardized procedure with the phone company whereby the cops say "there was a bomb threat made at 1pm to this number" and the phone company says "these were the incoming calls and where they came from"?

Seems ridiculous that the cops in Podunk need to know how to request the info specifically.

Before anyone jumps on me about privacy issues and overzealous cops with warrants, in cases where the customer (the school in this case) agrees to have their call records searched, this wouldn't really be an issue.

River Rouge, MI (AP)- Notorious hacking mastermind Kevin Mitnick has been spotted by Michigan law enforcement teaching people how to circumvent security protocols. His peripheral involvement in a series of bomb threats has been noted by officer Keck and is being investigated.

"Armed with Mitnick's advice, Keck went back to SBC and demanded a "terminating number search" for any calls made to the high school's lines on the dates of the bomb threats."

So really all Kevin did was point out how unhelpful SBC is to law enforcement? SBC could help but wasn't asked in the right way. How is our government expected to tackle matters of national security when the major communications companies are unwilling to help unless you say the "magic words."

Of course, Markoff's book was written to sensationalize hackers and crackers, much the same as Mitnick's is to present hackers as generally benign and himself as a victim of a witchhunt (almost the same way that Cyberpunk protrayed Robert Morris as a victim) and somebody with no heroic aspects, just a venal brutality.

So it's almost too good to be true to see Mitnick in a scenario where he's the hero who saves the innocent villagers but shows no animosity towards the perpetrator, just a good helping of world-weary contempt for somebody who thinks he's an anti-hero (hacker) but isn't. He also, in the same epic tradition, shows respect for the abilities of the man who brought him down in the first place.

I would think if the police went to the phone company and asked them "we need to find out where these calls are coming from", the phone company would know what needs to be done to find out.

Man, you must've never dealt with one of the large telecom companies. They'll dance around the issue, and give you loads of crap until you ask for the exact thing that it says on their screen, word for word. Not to mention you have to figure out which of ten phone numbers to call to get to the right place, and they'l

The sad part of this is that the detective couldn't figure out what to ask for, or that SBC refused to cooperate fully. I think it's great that Mitnick gets some positive press and furthers the idea of white hat operations, but the more disturbing thing this story illuminates is how totally inept law enforcement is when it comes to tech issues.

The boy didn't even employ anything creative or hacker-like. He just dialed a number on his phone, and the authorities needed an ex-con hacker to help them with this?

I think stories like this call attention to the fact that there is a *desperate* need for more training of law enforcement people in tech issues.

actually, this all sounds pretty decent to me. It's a small town, they can't be expected to hire a hundred specialists, and so someone at the department asks for help from someone who knows more about it. And they catch the guy. What's the problem here? Sounds to me like the detective was acting like, well...a detective.

Was Mitnick the only person who could've helped them, due to his ex-con hacker status? Doubtful. Could the phone companies have been better about it? Probably. If something similar happens again, will the cops know better how to deal with it? They should.

The sad part of this is that the detective couldn't figure out what to ask for

Wait, the police detective was supposed to just know that he had to ask for a "terminating number"? I don't think so. (OTOH, you're correct for calling out SBC for requiring these "magic words" in the first place).

I look at this detective and see a guy who didn't know what to do, ADMITTED he didn't know what to do, and then found the right person to ask who DID know what to do. The guy seems pretty resourceful to me. I'll give him props, even if he didn't know what a "terminating number" is.

The boy didn't even employ anything creative or hacker-like. He just dialed a number on his phone, and the authorities needed an ex-con hacker to help them with this?

My guess is that the local PD knew it was a local kid, and knew it was a hoax. Of course, they had to treat each call as if it were real, but not worth calling up the State Police, Sheriff, FBI... don't want to run the risk of putting some town bigwig's kid in the fed pen. So the local PD kept the investigation local, used other means to keep the crime and punishment in their own jurisdiction. And wouldn't you know, the accused will not be facing jail time.

It wasn't the crime of the century, but taking place barely two weeks ahead of the fifth anniversary of the Columbine massacre, the hoaxes unnerved some residents of the Detroit suburb, which boasts a population in the high four digits. "I don't put anything past these kids now days, I really don't," says Keck.

Well, don't put anything past anyone. But it's not "these kids" that we need to worry about, it's people that are complete fucking psychopaths. Eric Harris was hateful and paranoid. So sure, he thought everyone at school was out to get him. He thought everyone everywhere was out to get him. Check out his journals and make up your own mind. [free2host.net] He lied for fun and idolized mass murderers. He wasn't targetting the people he hated specifically, he wanted to kill everyone at the school [tennessean.com]. The only reason they didn't succeed was that they were bad at making bombs, and the bombs didn't go off when they planned. In the cafeteria. At lunch time.

And psychopaths like this always think they're being bullied. That's because they're fucking paranoid and crazy. It's certainly not that kids are inherently paranoid and crazy. Yes, we need to pay more attention to children, but not because they're a threat.

Ugh. I hope that's just the cop mentality speaking. I hope most people don't actually think like that "Keck" guy.

First the detective tries this: "When the detective served a search warrant on SBC Ameritech for the source of the calls, the phone company came up dry."

Then after he talks to Mitnick and gives a more specific request: "This time, SBC tracked the calls as far as cell phone carrier Sprint PCS, and identified the specific trunks on which the calls entered the local phone network."

Why does SBC need the help of an ex-hacker to come up with the right terminology to search its own system for evidence of crime? Do phone companies treat law enforcement with the same dull contempt that they do their regular customers?

I can just imagine: "Thank you for calling SBC Ameritech's search warrant compliance department. Please listen carefully to the following options, as they have recently changed. Press 1 if you are tracking an obscene phone caller. Press 2 if you are tracking a bomber. beep Thank you. Please press 1 if the bomber is threatening a commercial address. Press 2 if the bomber is threatening a residential address. beep...."

(0) This doesn't count as a way to beat CID, but there's a general
principle to consider when contemplating ways to beat CID.
Generally, the CID signal your target sees corresponds to the owner
of the dial tone you call him from. If you call direct, you dial
from your own dial tone and your line is identified. If you call a
third party, and by whatever means manage to acquire his dial tone,
and from there dial out, it is the number associated with that
second dial tone that your target sees. Some of the ideas following
this were developed with this basic idea in mind.

(0.5) This also doesn't count, but remember that beating Caller ID as
such is only the first layer of your protection. If your calling is
sufficiently annoying or criminal, there is *always* a paper trail
(ANI data, billing data, trouble reports, *57 traces, etc) leading
back to the phone you first called from. That trail is not always
easy or worthwhile to track you down with. Whether or not the trail
is followed depends entirely upon how pissed off your target is and
how much co-operation he can get from the phone company, law
enforcement, etc.

(1) Use *67. It will cause the called party's Caller ID unit to
display "Private" or "Blocked" or "Unavailable" depending on the
manufacturer. It is probably already available on your line, and if
it isn't, your local phone company will (most likely - please ask
them) set it up for free. This is the simplest method, it's 100
percent legal, and it works. But just remember you will not be
invisible to business customers with real time ANI (like on
corporate toll free lines), or to 911, or to the mechanism that *57
triggers.

(2) Use a pay phone. Not very convenient, costs 25 or 35 cents
depending, but it cannot be traced back to your house in any way,
not even by *57. Not even if the person who you call has Mulder and
Scully hanging over your shoulder trying to get an FBI trace (sic).
Janet Reno himself couldn't subpoena your identity. It's not your
phone, not your problem, AND it will get past "block the blocker"
services. So it's not a totally useless suggestion, even if you
have already thought of it.

(3) Go through an operator. This is a more expensive way of doing it
($1.25-$2.00 per call), you can still be traced, and the person
you're calling WILL be suspicious when the operator first asks for
them, if you have already tried other Caller ID suppression methods
on them.

(4) Use a prepaid calling card. This costs whatever the per-minute
charge on the card is, as they don't recognize local calls. A lot
of private investigators use these. A *57 trace will fail but you
could still be tracked down with an intensive investigation (read:
subpoena the card company). The Caller ID will show the outdial
number of the Card issuer.

(5) Go through a PBX or WATS extender. Getting a dial tone on a PBX is
fairly easy to social engineer, but beyond the scope of this file.
This is a well-known and well-loved way of charging phone calls to
someone else but it can also be used to hide your identity from a
Caller ID box, since the PBX's number is what appears. You can even
appear to be in a different city if the PBX you are using is! This
isn't very legal at all.

(6) I don't have proof of this, but I *think* that a teleconference
(Alliance teleconferencing, etc.) that lets you call out to the
participants will not send your number in Caller ID. In other
words, I am pretty sure the dial tone is not your own.

If you RTFA, it's easy to figure out what how the prankster was blocking his caller ID.

With SprintPCS, you can call your voice mail and one of the options is to place a call. When you place a call using this method, your caller ID information isn't sent. Of course, Sprint still has logs of who you're calling so the only evil deed it's really good for is calling an ex-girlfriend and telling her you think she's fat and no good in bed.;)

Back in my day, kids that called bomb threats into the school used payphones... And they didn't get caught.

Having worked with him personally, I can tell you that Kevin **knows** what he did was wrong. He has never made any statements to the contrary. He has complained about the abuses of the Justice system that occured in his case, but he would never use those abuses to justify criminal activity.